A Rising Threat: Phishing and Crypto-locker Viruses

Over the past several years, two types of cyber-attacks have become increasingly prevalent in the SMB segment: phishing and crypto-locker style viruses. Fortunately, both are entirely preventable. Additionally, there are numerous steps which can be taken to mitigate the damage to the business and loss of income due to lost productivity.

First, it is important to define and differentiate between the two types of attacks. Fortunately, both attacks require action on the part of the end user. Unfortunately, this also means that they run with the user’s permissions, which, if security permissions are not set correctly, can be devastating to shared resources.

Phishing Attacks: Tricks to Transfer Money

Phishing most often involves an email sent with a spoofed (faked) header. These emails are most often sent to finance staff and purport to be from senior company leadership. They are not very sophisticated, but they are often very convincing. They will usually ask for a wire transfer of some kind, typically to an entity that sounds legitimate. Proper accounting controls and careful scrutiny of these emails are the best prevention. Educating finance and accounting staff by showing them how to determine whether an email is actually from company leadership is also of paramount importance. There are many simple checks that, with training, any staff member can perform. This type of attack rarely affects company data, but it can result in a significant loss of funds.
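The checks mentioned above can be automated for the mail that reaches finance staff. The script below is an added example, not code from the original article: it assumes a constructed executive roster and two constructed sample messages, and flags the usual spoofing signs (an executive's display name on an unknown address, Return-Path and Reply-To pointing elsewhere, an SPF/DKIM failure recorded by the receiving server, and wire-transfer wording wrapped in urgency).

```python
"""Flag common signs that an e-mail claiming to come from company leadership was
spoofed. Added example, not code from the original article: the executive roster
and both sample messages are constructed for illustration."""
import email
from email.utils import getaddresses, parseaddr

# Assumption: the executives phishers are likely to impersonate
# (lower-cased display name -> the only address that name legitimately uses).
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # constructed CEO entry
    "john roe": "john.roe@example.com",  # constructed CFO entry
}
# Wording that, combined with a money request, marks the classic wire-fraud pitch.
PRESSURE_WORDS = ("urgent", "immediately", "asap", "confidential", "today")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _plain_text(msg):
    """Return the first text/plain part of the message, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def spoof_indicators(raw_message, executives=EXECUTIVES):
    """Return a list of findings for the raw RFC 5322 message; empty means none fired."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()

    # 1. Executive's display name on an address that is not the one on record.
    known = executives.get(from_name.strip().lower())
    if known and from_addr != known:
        findings.append(f"display name '{from_name}' belongs to {known} but address is {from_addr}")

    # 2. Envelope sender (Return-Path) from a different domain than the From header.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {_domain(from_addr)}")

    # 3. Reply-To steering replies somewhere other than the apparent sender.
    for _, reply_to in getaddresses([str(v) for v in msg.get_all("Reply-To", [])]):
        if reply_to.lower() != from_addr:
            findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. The receiving server's own SPF/DKIM verdict, if it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        if any(f"{mech}={verdict}" in auth for verdict in ("fail", "softfail", "permerror")):
            findings.append(f"{mech} did not pass per Authentication-Results")

    # 5. A wire-transfer request wrapped in urgency or secrecy.
    text = _plain_text(msg).lower()
    if "wire" in text and any(w in text for w in PRESSURE_WORDS):
        findings.append("body requests a wire transfer with urgency/confidentiality cues")
    return findings


# Constructed samples: one impersonation attempt, one genuine internal note.
SPOOFED = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: jane.doe.ceo@webmail.invalid
To: accounts.payable@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process a wire of 48,500 to the vendor below immediately. Keep this confidential.
"""

GENUINE = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Can you send me the Q3 spend summary when you get a chance?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoof_indicators(sample) or "no indicators")
```

Each finding is a signal rather than proof: legitimate bulk mailers and ticketing systems also produce Return-Path and Reply-To mismatches, so the value of the list is that several indicators fire together on the same wire request, which is exactly the pattern staff should be trained to escalate rather than act on.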

Crypto-Locker Attacks: Holding Your Data Hostage

Crypto-locker attacks use a similar profile. They usually arrive as a legitimate-looking email containing an “unpaid invoice” or some other document that looks like a PDF and demands action on the part of an unwary user. These attachments contain malicious code that executes under the user’s profile. The basic version of these viruses scans for all drives mounted on the user’s PC (either local or network) and proceeds to encrypt all files contained on those drives. The encryption is usually 128- or 256-bit and is effectively unbreakable. In each directory, a file is placed with information allowing the victim to pay a ransom via credit card. Supposedly, paying this ransom will then provide an unlock key. Sometimes ransoms are honored, but often they are not.

Because these attacks do not usually modify sensitive system files, they often run right past anti-virus software. Vigilant users are the best prevention for this type of attack. If the email is not from a source they immediately recognize, or even if it is, users must be educated to refer it to their technical resources, who can review the email and verify that it is from the intended source. Since no one is perfect, the frequency of crypto attacks further underscores the need for good backups, and for monitoring to ensure the backups are up to date.

Crypto attacks also underscore the need for strict network access permissions to further limit the effects of a single user being infected. This is of paramount importance for companies with large data sets, where the restore process can take 24 hours or more. As the attacks have gotten more sophisticated, many of them are now also capable of damaging VSS (Volume Shadow Copies, or “snapshots”) of files, which used to be a very lightweight and convenient way to undo the encryption.
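The behaviour described in the two paragraphs above (one account encrypting every file it can reach and dropping a ransom note in each directory) is visible in file-server audit data long before anti-virus reacts, and the set of shares the account touched shows the blast radius its permissions allowed. The following detector is an added example, not code from the original article: the audit-event format, the rename threshold and window, the generic ransom-note name pattern and the sample events are all constructed assumptions, so a real deployment would feed it the file-share audit source the business actually has.

```python
"""Spot crypto-locker style behaviour in file-share audit events: one account
changing file extensions at machine speed and dropping ransom-note files, and
which shares that account could reach. Added example, not code from the original
article: the event format, thresholds, note-name pattern and sample events are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

# Assumption: an audit record is a dict with an ISO-8601 "ts", the "user" account,
# an "op" of "rename" or "create", a "path", and for renames a "new_path".
RENAME_THRESHOLD = 30            # extension-changing renames by one account ...
WINDOW = timedelta(seconds=60)   # ... within this window trips the alert
# Generic ransom-note naming; constructed pattern, not any specific family's note name.
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover).*\.(txt|html|hta)$", re.I)


def _ext(path):
    return os.path.splitext(path)[1].lower()


def _share(path):
    """Share name from a UNC-style path such as //fs01/finance/q3.xlsx -> 'finance'."""
    parts = path.replace("\\", "/").strip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def detect_ransomware_activity(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {account: {"reasons": [...], "shares": [...], "new_extensions": [...]}}
    for every account whose activity matches, and nothing for the rest."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        reasons = []
        renames = [e for e in evs if e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"])]
        # Sliding window: does any span of `window` hold `threshold` or more such renames?
        start = 0
        for end, e in enumerate(renames):
            t_end = datetime.fromisoformat(e["ts"])
            while t_end - datetime.fromisoformat(renames[start]["ts"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.append(f"{threshold}+ extension-changing renames within {window.seconds}s")
                break
        notes = [e["path"] for e in evs if e["op"] == "create"
                 and RANSOM_NOTE_RE.search(os.path.basename(e["path"]))]
        if notes:
            reasons.append(f"ransom-note style file created: {os.path.basename(notes[0])}")
        if reasons:
            alerts[user] = {
                "reasons": reasons,
                # Every share the account touched: the blast radius its permissions allowed.
                "shares": sorted({_share(e["path"]) for e in evs}),
                "new_extensions": sorted({_ext(e["new_path"]) for e in renames}),
            }
    return alerts


def sample_events():
    """Constructed audit log: 'alice' renames 40 documents to .locked in 40 seconds
    across two shares and drops a note; 'bob' renames three drafts normally."""
    base = datetime(2019, 5, 14, 9, 30, 0)  # constructed timestamp
    evs = []
    for i in range(40):
        share = "finance" if i % 2 == 0 else "hr"
        evs.append({"ts": (base + timedelta(seconds=i)).isoformat(), "user": "alice",
                    "op": "rename", "path": f"//fs01/{share}/doc{i}.docx",
                    "new_path": f"//fs01/{share}/doc{i}.docx.locked"})
    evs.append({"ts": (base + timedelta(seconds=41)).isoformat(), "user": "alice",
                "op": "create", "path": "//fs01/finance/HOW_TO_DECRYPT_FILES.txt"})
    for i in range(3):
        evs.append({"ts": (base + timedelta(minutes=i)).isoformat(), "user": "bob",
                    "op": "rename", "path": f"//fs01/eng/draft{i}.txt",
                    "new_path": f"//fs01/eng/final{i}.txt"})
    return evs


if __name__ == "__main__":
    for account, detail in detect_ransomware_activity(sample_events()).items():
        print(account, detail)
```

The "shares" list in each alert is the practical tie-in to the permissions point: if the alerted account turns out to have had write access to shares its job never required, that is the access that should have been removed beforehand, and it is also the list of locations to restore from backup or shadow copies once the account's sessions are cut off.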

Up next: preventative measures, and what to do if you’ve been attacked.